Accenture left four servers of sensitive data completely unprotected

UpGuard has yet again uncovered a trove of corporate data left unprotected, this time from major consulting and management firm Accenture. The data -- contained on four cloud-based storage servers -- were discovered by UpGuard Director of Cyber Risk Research Chris Vickery in mid-September and weren't protected by a password. Anyone with the servers' web addresses could download the stored information, which included decryption keys, passwords and customer info. And Accenture's client list includes a number of large companies. On its website, Accenture says its clients "span the full range of industries around the world and include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500."

UpGuard says that the information stored on the unprotected servers could have been used to attack Accenture itself as well as a number of its clients and Vickery told ZDNet that the data amounted to the "keys to the kingdom." In a blog post about the exposure, UpGuard said, "Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage."

UpGuard quickly notified Accenture after discovering the exposed data and the company secured the servers soon thereafter. Accenture also said that UpGuard was the only non-authorized visitor to access the servers. Accenture told ZDNet, "We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system."